PHP Fusion question
Im currently helping to modify a php fusion site for a friend, but running into a bit of php/sql trouble. My php is a bit weak.
Im trying script an automatic account upgrade from a registered member to an actual member (2 different permission user groups). I created a custom page and can get it to identify the correct password, but I do not know how to identify the user that entered the password so that I can make the sql line effect only his account.
Here is the custom page code
<center>
<form name="input" action="" method="post">
Password:
<input type="text" name="pass">
<input type="submit" value="Submit" class="button">
</form>
<?php
if ($_POST["pass"]==NULL)
{}
elseif ($_POST["pass"]=="password")
{
echo 'Your Account has been upgraded';
//Some code here get uid and modify the table to upgrade permissions
}
else
echo 'Wrong Password, please try again.';
?>
</center>
Any suggestions / ideas?
Look for SELECT FROM statements on W3schools.
Hint: your question has nothing to do with PHP, rather, you should have been asking about SQL statements. This means that besides your weak PHP, your SQL skills also could use an upgrade. And -this- means you shouldn't even try to help your friends in the first place, since your webprogramming skills are weak.
Anyway, SELECT FROM, go from there.
Solved – albiet sloppy and insecure. But,…
A) Not my website B) Probably not the most insecure thing about the website C) It works.
Anyways here's the code I used. If any better ideas jump in your head feel free to post them.
<center>
<form name="input" action="" method="post">
Password:
<input type="text" name="pass">
<input type="submit" value="Submit" class="button">
</form>
<?php
if ($_POST["pass"]==NULL)
{}
elseif ($_POST["pass"]=="password")
{
$uid = floor($fusion_user);
$result = mysql_query( "SELECT * FROM fusion_users WHERE user_id='$uid'");
while($row = mysql_fetch_array($result))
{
if ($row['user_groups']=='.1')
{
echo 'Account already Upgraded';
}
elseif ($row['user_groups']!='.1')
{
mysql_query("UPDATE fusion_users SET user_groups = '.1' WHERE user_id = '$uid'");
echo 'Upgraded Account';
}
}
}
else
echo 'Wrong Password, please try again.';
?>
</center>
Zephyr_Pure wrote: [quote]stdio wrote: if ($_POST["pass"]==NULL) {} elseif ($_POST["pass"]=="password") {
… Why? You're only acting on one conditional.[/quote]
Im confused by your question/statement please elaborate.
If you are referring to the if, elseif, else. It does nothing if left blank (if),.. moves on if password correct (elseif)… and displays error message if wrong (else)
stdio wrote: If you are referring to the if, elseif, else. It does nothing if left blank (if),.. moves on if password correct (elseif)… and displays error message if wrong (else) You're only gauging success on one conditional (password is correct), or you're either throwing an error or doing nothing. Why do "nothing" if it's null? The pass is wrong whether it's null or "wrong". Just seems like an unnecessary extra conditional at the top.
stdio wrote: Solved – albiet sloppy and insecure. But,…
A) Not my website B) Probably not the most insecure thing about the website C) It works.
A: it's your friend's website, right? Grow some morals. B: Fix the other things too. C: Like Space Shuttle Columbia worked.
Now, don't get me wrong. I love lousy excuses just as much as the next guy, but yours are just very, very wrong. Bad. Negative. Useless. Bullshit.
Go code.
spyware wrote:
A: it's your friend's website, right? Grow some morals. B: Fix the other things too. C: Like Space Shuttle Columbia worked.
Now, don't get me wrong. I love lousy excuses just as much as the next guy, but yours are just very, very wrong. Bad. Negative. Useless. Bullshit.
Go code.
Not my website has nothing to do with my morals, it has to do with time. He asked me as a favor to help him with something that would do exactly what it does… keep him from having to manually change every user that he needs too.. (about 50 total people). I gladly spent a few hours looking into how to do and finding away to do it. I flat out dont have the time to dedicate more to just a simple task.
Secondly, just because hes my friend, doesnt mean he doesnt have the same resources that I do interms using the internet. Again time is the major factor here. I would take a really long time to try and go through php fusion and try to fix everything. Let me use this website as an example… Developers here spent many hours coding/fixing this website. Its a php fusion website. Now with 1000's of users and 1000s of hours in total of people on it (specifically people looking to learn/teach/practice all sorts of tasks related to computer security),… there are STILL flaws in it.
Thirdly, bad comparrison to the columbia shuttle. There are SQL backups, so if someone where to hack it, the worst that would happen is a loss of a few hours, not people dieing. Quantify your risk vs rewards better imo.
Now, don't get me wrong. I love lousy critisism just as much as the next guy, but yours are just very, very wrong. Bad. Negative. Useless. Bullshit.
spyware wrote: C: Like Space Shuttle Columbia worked.
stdio wrote: Thirdly, bad comparrison to the columbia shuttle. There are SQL backups, so if someone where to hack it, the worst that would happen is a loss of a few hours, not people dieing. Quantify your risk vs rewards better imo.
Well, the rest of it was pleasant to read except for this one. Now, I know a lot of people like to take things rather literally at times but, in this case, the comparison was just dealing with the functional adequacy of the two. Really, it wouldn't have mattered if there was just a barrel of grapefruit on Columbia at the time of that incident… a functional failure is still a failure. Don't quantify adequacy or stability by what's at stake but, rather, by an educated success rate estimate and vulnerability assessment.
Other than that, carry on… your friend's site's security is of no concern to me, anyways.